CVE-2015-2792
WPML < 3.1.8 - Unauthenticated Arbitrary Action Execution via Multiple Action Parameters
Title source: llmDescription
The WPML plugin before 3.1.9 for WordPress does not properly handle multiple actions in a request, which allows remote attackers to bypass nonce checks and perform arbitrary actions via a request containing an action POST parameter, an action GET parameter, and a valid nonce for the action GET parameter.
References (4)
Core 4
Core References
Exploit x_refsource_misc
http://klikki.fi/adv/wpml.html
Vendor Advisory x_refsource_confirm
http://wpml.org/2015/03/wpml-security-update-bug-and-fix/
Exploit mailing-list
x_refsource_fulldisc
http://seclists.org/fulldisclosure/2015/Mar/79
Exploit x_refsource_misc
http://packetstormsecurity.com/files/130839/WordPress-WPML-Missing-Authentication.html
Scores
EPSS
0.0380
EPSS Percentile
88.7%
Details
CWE
CWE-284
Status
published
Products (1)
wpml/wpml
< 3.1.8
Published
Mar 30, 2015
Tracked Since
Feb 18, 2026